An often overlooked aspect of HIPAA: secure text messaging part of compliance for call centers

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a piece of legislation designed to protect confidential and sensitive healthcare information. Put as simply as possible, the goal behind HIPAA is to limit who has access to an individual’s healthcare-related records, including medical history, the provision of healthcare, and the details regarding the payment of that care.

For health insurance companies and other organizations involved in the healthcare industry, HIPAA calls specifically for regulation and compliance of document management processes. In particular, HIPAA-compliant organizations must take proper steps to secure and limit access to individual healthcare records and to follow rigid document retention rules.

The Overlooked Side of HIPAA Compliance

The brief description above reflects how most organizations think of and approach HIPAA regulations. However, one often overlooked factor of HIPAA compliance is how these rules for health insurance regulation and compliance affect certain types of “informal communication”—namely, text messaging.

In 2013, Jon Jansen—the CTO of Doc Halo—wrote an engaging guest post for TechTarget, shedding some light on how text messages can play a role in affecting a healthcare organization’s HIPAA compliance. In the article, Jansen described a theoretical scenario where physicians leave the office and go home for the night, “turning the phones over to the call center for the night.”

Here, at this moment, is where text messaging can serve to ruin a health office’s HIPAA compliance. It used to be that physicians would have their call centers page them in the case of a patient update or emergency. Now, with pagers more or less a thing of the past, call centers will instead get in touch with physicians via cell phone. And instead of calling, they’ll do the thing that is closest to the old paging method: They will send text messages.

The good news is that updates to HIPAA have confirmed that mobile communications can be compliant with the law. This news is a relief because more and more physicians, health insurance companies, and other healthcare organizations are either receiving private health information in text message form or are using their mobile devices to access email accounts or document storage databases where that information is stored.

The bad news, however, is that the increased use of mobile devices to access private health data has created more risks and opportunities for that information to be compromised. Text messages, for instance, are not normally a secure form of communication: most individuals send them over open cell networks, where texts could feasibly be intercepted and read by unintended recipients. Meanwhile, emails sent from mobile devices on public Wi-Fi networks, or for that matter any web activity conducted on a public Wi-Fi network, can be easily intercepted.

As such, text messages are subject to specific requirements before they can be considered HIPAA-compliant.

How to Make Sure Texting is HIPAA Compliant

If your organization is seeking HIPAA compliance and you are worried about mobile platforms, first ask yourself the following questions.

Do you send or receive sensitive patient information or other private health data via text message?

Do you access sensitive patient information or other private health data via email or database on a smartphone or tablet?

If you answered yes to either of these questions, then you need to make sure your texting habits and mobile usage follow HIPAA’s guidelines for health insurance regulation and compliance. This post details the steps that must be taken to reach HIPAA compliance with text messaging. While there is a lot of information to unpack in that article, the main takeaway is that any text messages containing private health information must be sent using a “secure texting” process.

The problem with the call center scenario described a few paragraphs up is that, in most cases, call centers are texting physicians over standard public cell phone networks. Most of us send texts via public cell networks every day, so it might be a bit difficult to see the issue at hand. Essentially, though, when you send a text through a public cell network, the carrier keeps a copy of the message on its own servers. “Secure texting,” instead of using a public network, uses a secure virtual private network to send sensitive information. This method is preferable because

1) the information is completely encrypted, and

2) the message is stored locally on a private and secure server,

making it difficult for any outsiders to hack or access said information.

In addition, the administrator of a secure local network can control who has access to text message information, and can delete messages entirely once they are no longer relevant. In other words, secure texting essentially makes it possible for an organization to manage text messages in the same way it would use a document management system (DMS) to manage other types of files or data.